SMTP Client Authentication on Exchange 2016? (SMTP Relay)

Machiavelli 

Your on-premises Exchange Server provides the ability to accept authenticated SMTP messages by default. When you take your ERP software solution as an example, you can follow these steps for the external application:

1. Create a new user mailbox for the ERP application and ensure that the email address and the display name align with your requirements for sending emails 
2. Allow inbound traffic on TCP 587 to your on-premises Exchange servers
   This approach uses the default client submission port TCP 587, which is designed to allow users to deliver authenticated SMTP messages to the Exchange organization for further processing
3. Configure your ERP solution to use TCP 587 + TLS when sending emails, use the credentials used in step 1 for authentication

In this example, I identify the ERP application as an SMTP client that wants to deliver an email message, and not as a server. Therefore, I use the Client Frontend connector on TCP 587 instead of the Default Frontend connector on TCP 25. 

Whitelisting a remote IP address poses a risk for using the Exchange server as an open relay by IP spoofing.

Links

• Mail flow and the transport pipeline (contains a diagram without TCP ports)
• Exchange 2016 + 2019 Mail Flow with Ports (contains the mail flow diagram with TCP ports)